When Facebook disclosed earlier this week that a Kremlin-backed group was running a disinformation campaign that hired real journalists to write about domestic politics, one thing stood out: Russian threat actors targeting the election are going to much greater lengths to avoid getting caught.
Following the 2016 presidential election and 2018 midterms, which were marked by a variety of foreign efforts to influence voting behavior, cybersecurity experts and government officials have been on high alert to spot similar campaigns ahead of the upcoming election. However, the Russian threat actors that targeted previous votes have seemed to mostly remain on the sidelines, according to a report released today by Recorded Future.
One explanation is that these groups could simply be waiting for the right moment to act, said Roman Sannikov, the director of cybercrime and underground intelligence at Recorded Future. For example, these groups could release hacked data in an “October surprise” similar to the 2016 leak of breached Clinton campaign-related documents that has since been attributed to the Russian cyber espionage group APT28, Sannikov said.
Another possibility, however, is that the groups are getting harder to detect.
That’s evidenced by the news from Facebook on Tuesday, which highlighted the lengths to which the Russian Information Research Agency went to conceal what was still a nascent disinformation operation. In that campaign, the IRA created a fake news site called Peace Data and hired real American freelancers to write for it. The organization also manufactured editor personas using fake social media accounts and computer-generated images of non-existent people. Peace Data operated 13 Facebook accounts and two pages, said Facebook, which suspended the accounts. The FBI said in a statement that it provided information on the campaign to the social media company.
“The Russians are trying harder to hide; they are increasingly putting up more and more layers of obfuscation,” Ben Nimmo, founder of the firm Graphika, which worked with Facebook to release a report on the fake site, told The New York Times.
The IRA has moved much of its infrastructure off Western servers to ones hosted domestically in Russia, Sannikov said, which makes them harder to detect. “At the same time, we’ve seen a lot of proxy activity — Russian operations go through Ukraine and various countries in Africa to make it more difficult for social media companies and law enforcement organizations to attribute this activity to a particular threat group in Russia,” he said.
The increased effort by social media companies to root out influence operations has put pressure on those groups to better hide their activity, Sannikov said.
“It’s like whack-a-mole. These groups are trying very hard — much harder than they did in 2016 — to hide the attribution,” he said.
The IRA is only one of a handful of Russian groups that cybersecurity experts are scrutinizing ahead of the election, though they are all presumed to work on behalf of the Kremlin, Sannikov said. In addition to the IRA, cybersecurity companies and government officials are closely tracking APT28, APT29, GRU Unit 74455, and a number of hybrid threats.
“They’re all striving for the same goal but trying for different tactics, and the most dangerous one will be the one that succeeds,” said Sannikov.
In recent months, APT28 has engaged in activities including malware development, spearphishing, and infrastructure development, according to the report from Recorded Future. The group was engaged in targeted intrusions into political groups during the 2016 and 2018 elections, and has been connected to hack-and-leak operations aimed at destabilizing the voting process. APT29 has also been active in recent months, but the activity hasn’t been tied to the election, according to the report. The group, which was engaged in intrusions against the Democratic National Convention, has notably used novel tool sets against COVID-19 research-related targets. Sandworm, a threat group affiliated with GRU Unit 74455, has recently engaged in vulnerability exploitation, but without clearly identified links to specific targets, according to the Recorded Future report.
The Russian groups aren’t the only threats that election officials are worried about. In August, William R. Evanina, the director of the National Counterintelligence and Security Center, released a statement that said the intelligence community was primarily concerned with election-related activity from Russia, China, and Iran. Sannikov said that Russia will likely be the greatest threat, since China and Iran — as well as other hacking threats such as North Korea — have focused their efforts on influencing their own populations.
“The aim is the same overall: to destabilize and delegitimize elections in the West in general, and right now in the U.S. specifically, because that’s the next big one coming up,” said Sannikov. “Most recent elections in Russia have been questioned by the West for not being conducted in a free and fair way. By delegitimizing elections in the West, it allows Russia to legitimize their own — it sends a message that you can’t criticize our process if you can’t clean your own house.”